On Fri, Feb 02, 2024 at 12:11:58AM +0200, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 01 Feb 2024, Steve Berg via FreeIPA-users wrote:
Is there any way to just delete all these SID requirements? My IPA domain doesn't have a trust to anything Windows and there's no plan to ever set that up.
No.
S4U protocol extensions for Kerberos require the presence of PAC buffers as per the MS-SFU spec. The changes came in 2021 as part of the fixes for the 'dollar sign attack'. You can get a partial view of that at https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack or in several talks we gave over the past few years at various conferences. Most notably:
Andrew Bartlett, "sambaXP 2022: The Inside Story on the Dollar Ticket Attack" https://www.youtube.com/watch?v=1BnraIAcybg
Andreas Schneider, Alexander Bokovoy, "sambaXP 2023: Samba AD / MIT Kerberos: path out of experimental" https://www.youtube.com/watch?v=0_cdYuIYw0o
Those attacks are against MS Windows (and Samba?). I would say they're not relevant to the majority of FreeIPA deployments, which have nothing to do with Windows.